While Microsoft has not yet said when it will release a patch to fix an under-attack flaw in its server software, most properly protected servers should not be vulnerable.
"Any machine that gets successfully hit by this is poorly set up," says Ronald O'Brien, a senior security analyst at Sophos, a business security company.
The Delbot worm (known as Delbot, Nirbot, or Rinbot) exploits a zero-day flaw in the Domain Name System service on servers running Windows Server 2000 Service Pack 4 and Windows Server 2003 Service Pack 1 and Service Pack 2. Following a successful attack, the worm infects the machines with a 'bot' type of malware that gives the attacker remote control over the server, according to Sophos.
DNS is essential for all internet traffic, and by necessity many DNS servers are publicly accessible. However, attackers can reach the vulnerability only through DNS's Remote Procedure Call interface, rather than directly through the DNS service. And on any publicly accessible machine the RPC interface should be blocked by a firewall, O'Brien says.
In a posted alert update regarding the attacks, the Internet Storm Center, which tracks ongoing internet attacks, notes that "most public DNS servers should not be listening on the RPC ports”. Nevertheless, the post lists two server setups that could be vulnerable: multipurpose Windows servers used by hosting providers, and active-directory servers in internal networks.
In its security advisory, Microsoft provides instructions for a workaround that uses Registry changes to disable the RPC interface. The advisory also lists server ports that should be blocked by a firewall.
Microsoft is considering releasing an early patch to fix the vulnerability before the company's next regular patch date on 8 May.